1. Field of the Invention
The present invention relates to a user authentication system and method, and more particularly to an apparatus and method for establishing user authentication using a password.
2. Description of the Related Art
A conventional user authentication scheme can be established by using a password, that is, by having a user enter his or her prescribed numeric or character information. In this case, the scheme normally operates on the condition that the password entered by the user matches the predetermined password. However, a password-based user authentication scheme has a disadvantage in that it may allow a fraudulent user who knows a password of a target system, instead of the correct user, to fraudulently receive a user authentication message.
The aforementioned user authentication system has been widely used for a variety of applications, for example, credit cards, cash cards, mobile phones, computers, etc. FIG. 1 is a conceptual diagram illustrating a user authentication system for credit cards. Referring to FIG. 1, a card reader 10 reads a credit card of a user, and transmits the read card information and the card password entered by the user to a card certification authority 20. The card certification authority 20 determines whether the card having the read information is valid or invalid, and determines whether the card password matches a predetermined card password. If it is determined that the card password matches the predetermined card password, the card certification authority 20 transmits the result to the card reader 10, and user authentication is thereby established.
Another user authentication operation, in which the card reader 10 is in a cash dispenser, will hereinafter be described with reference to FIG. 2. FIG. 2 is a flow chart illustrating a conventional user authentication process upon receiving a password from a user. Referring to FIG. 2, if a user inserts his or her cash card into the card reader 10 to withdraw his or her savings from the bank, the card reader 10 recognizes the inserted cash card and prompts the user to enter his or her password in order to determine whether the current user is the correct user. The user enters his or her password according to the password input request at step 200. The card reader 10 requests the card certification authority 20 to determine whether the input password matches a predetermined user password at step 204. Upon receiving from the card certification authority 20 the user authentication result that the input password matches the predetermined user password, the card reader 10 performs a user-desired operation according to the user authentication result at step 206. Otherwise, if the password entered by the user does not match the predetermined user password, the card reader 10 prompts the user to re-enter his or her password, up to a predetermined number of times, at steps 208 and 210. If the number of password re-entries exceeds the predetermined number of times, the card reader 10 terminates its operation.
In more detail, even when another user, instead of the correct user, fraudulently knows the card password of the correct user, the conventional user authentication system unavoidably enables the fraudulent user to receive a desired user authentication message, so that the fraudulent user can receive his or her desired service from a service provider such as a bank. The conventional user authentication system has not taken into consideration this risk of fraudulent misuse of the card.
For example, if a thief robs the user of a credit or cash card and the user has no choice but to tell the thief his or her card password, the thief may rob the user of his or her private property.
In conclusion, the conventional user authentication system has been designed to unconditionally establish user authentication whenever it receives the predetermined password, whether from the user or from a third-party user who knows the user's card password. It therefore allows even the third-party user to receive a desired service from a service provider, resulting in the risk of fraudulent misuse of the card due to authentication of the wrong user.
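The FIG. 2 flow and the weakness described above can be modeled in a few lines. This is an added example, not part of the original text: it shows that the authority's decision depends only on the card and the password, so the card holder and a third party who knows the password get the same result. The retry limit of 3, the salted PBKDF2 storage, the `who` label, and the card numbers and passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed; the text only says "a predetermined number of times"

class CardCertificationAuthority:
    """Stands in for card certification authority 20 (card validity + password check)."""
    def __init__(self):
        self._cards = {}  # card_id -> (salt, password digest, valid flag)

    @staticmethod
    def _digest(salt, password):
        # Salted hash storage is an assumption; the text does not say how passwords are kept.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, card_id, password, valid=True):
        salt = os.urandom(16)
        self._cards[card_id] = (salt, self._digest(salt, password), valid)

    def verify(self, card_id, password):
        record = self._cards.get(card_id)
        if record is None or not record[2]:  # unknown or invalid card
            return False
        salt, stored, _ = record
        return hmac.compare_digest(stored, self._digest(salt, password))

def card_reader_session(authority, card_id, entries, who):
    """Card reader 10 running the FIG. 2 flow over a list of password entries.

    `who` is a hypothetical label for the person at the keypad. It is never
    sent to the authority, which is exactly the gap the text describes.
    Returns (who, authenticated, attempts_used).
    """
    attempts = 0
    for password in entries[:MAX_ATTEMPTS]:      # step 200, re-entry at steps 208/210
        attempts += 1
        if authority.verify(card_id, password):  # step 204
            return who, True, attempts           # step 206: perform requested operation
    return who, False, attempts                  # retry limit reached: terminate

def demo():
    ca = CardCertificationAuthority()
    ca.enroll("CARD-0001", "4071")  # constructed sample card and password
    return [
        card_reader_session(ca, "CARD-0001", ["4071"], who="card holder"),
        card_reader_session(ca, "CARD-0001", ["4071"], who="third party"),
        card_reader_session(ca, "CARD-0001", ["0000", "1111", "2222", "4071"], who="guesser"),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The retry limit stops the guesser, who reaches the correct password only on a fourth entry, but it does nothing about a third party who already knows the password.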